Re: [systemd-devel] Portable service and bind paths
On Mo, 06.01.20 20:44, Claes H (claesatw...@gmail.com) wrote:

> On Mon, Jan 6, 2020 at 1:40 PM Lennart Poettering wrote:
> >
> > If possible use DynamicUser=1, i.e. have a short-lived user that only
> > exists while your service is running.
> >
> > For some usecases that doesn't work though. There's a TODO list item,
> > to add AllocateUser= as new switch to create a user persistently on
> > first start, as an alternative for such cases. Nobody worked on that
> > yet though. And of course, it's much less sexy since for such users
> > the portable services would suddenly leave traces on the system, in a
> > way that is never cleaned up...
> >
>
> I will see if I can get DynamicUser to work. If I understand that
> correctly, it is mainly useful when the service is truly self
> contained / having its own sandbox.

Yes. If the service is supposed to, for example, write files visible to
other services, then DynamicUser=1 doesn't really work.

> I want the service and myself to be able to read and write to the
> files in its configuration / runtime directory. That is why I have
> bind-mounted it into the service's file system. Need to read up on the
> state directory concept for DynamicUser. But it seems complex.
>
> The AllocateUser concept seems very useful for when the usecase is to
> bundle up a fast moving application with all its dependencies. I would
> not mind so much about the traces that can be left. If it is
> implemented, probably should include something like AllocateGroup
> too.

Would be delighted to review a patch for that ;-)

Lennart

--
Lennart Poettering, Berlin
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
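As an added illustration of the DynamicUser=1 plus state-directory approach discussed above (this unit is not from the thread, from Home Assistant or from the systemd project): the service gets a transient user and a systemd-managed persistent directory instead of a bind mount into a pre-created home. The directory name "homeassistant", the %S-based HOME override and the assumption that the application honours $HOME are mine.

```ini
# Added example, not the unit from the thread. Assumes Home Assistant reads
# its configuration from $HOME/.homeassistant, as the original unit implied.
[Unit]
Description=Home Assistant (portable service, dynamic user)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# No User=/Group=: systemd allocates a transient UID/GID (range 61184-65519)
# when the service starts and releases it on stop, so nothing is left in
# /etc/passwd on the host afterwards.
DynamicUser=yes
# Persistent data: created as /var/lib/private/homeassistant, owned by the
# transient UID, and reachable as /var/lib/homeassistant through a symlink.
# /var/lib/private itself is root-only, so a later service that happens to
# receive the same recycled UID cannot reach these files.
StateDirectory=homeassistant
# Point the application at the managed directory instead of a home under
# /home. %S expands to the state directory root, normally /var/lib.
# (Assumption: the application honours $HOME for its configuration.)
Environment=HOME=%S/homeassistant
ExecStart=/srv/homeassistant/bin/hass
Restart=on-failure
RestartSec=5s
# DynamicUser=yes implies ProtectSystem=strict, ProtectHome=read-only,
# PrivateTmp=yes and RemoveIPC=yes. The state directory stays writable
# despite ProtectSystem=strict because systemd adds it to ReadWritePaths=.

[Install]
WantedBy=multi-user.target
```

After `portablectl attach`, `systemctl show -p DynamicUser,StateDirectory homeassistant.service` confirms both settings took effect, and `ls -ld /var/lib/homeassistant /var/lib/private/homeassistant` shows the symlink and the directory's transient owner while the service runs.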
Re: [systemd-devel] Portable service and bind paths
On Mon, Jan 6, 2020 at 1:40 PM Lennart Poettering wrote:
>
> If possible use DynamicUser=1, i.e. have a short-lived user that only
> exists while your service is running.
>
> For some usecases that doesn't work though. There's a TODO list item,
> to add AllocateUser= as new switch to create a user persistently on
> first start, as an alternative for such cases. Nobody worked on that
> yet though. And of course, it's much less sexy since for such users
> the portable services would suddenly leave traces on the system, in a
> way that is never cleaned up...
>

I will see if I can get DynamicUser to work. If I understand that
correctly, it is mainly useful when the service is truly self
contained / having its own sandbox.

I want the service and myself to be able to read and write to the
files in its configuration / runtime directory. That is why I have
bind-mounted it into the service's file system. Need to read up on the
state directory concept for DynamicUser. But it seems complex.

The AllocateUser concept seems very useful for when the usecase is to
bundle up a fast moving application with all its dependencies. I would
not mind so much about the traces that can be left. If it is
implemented, probably should include something like AllocateGroup
too.

By the way, after working with portable services, I am impressed.
Simpler than the alternatives (after some initial confusion on my part).

Best regards
Claes

--
C l a e s   H o l m e r s o n
Re: [systemd-devel] Portable service and bind paths
On So, 05.01.20 19:25, Claes H (claesatw...@gmail.com) wrote:

> Turns out the problem was not with the mount - that was working well.
> Instead it was a user problem and I did not realize the process ran as
> root and used a different home directory.
> When I added the user homeassistant in the host and added it to the
> User= configuration in the service file it worked.
> But this required the "admin" of the host to do something additional,
> it did not work "out of the box".
>
> I was thinking - how is it supposed to work with a portable service,
> which user is it recommended to run as?
> Maybe portablectl attach should create the user the service has
> declared, if it does not exist already?
> Or should there be a general user that portable services run as?
> Interested to hear if there is any recommendation for how a portable
> service "packager" should define the user aspect of the service.

If possible use DynamicUser=1, i.e. have a short-lived user that only
exists while your service is running.

For some usecases that doesn't work though. There's a TODO list item,
to add AllocateUser= as new switch to create a user persistently on
first start, as an alternative for such cases. Nobody worked on that
yet though. And of course, it's much less sexy since for such users
the portable services would suddenly leave traces on the system, in a
way that is never cleaned up...

Lennart

--
Lennart Poettering, Berlin
Re: [systemd-devel] Portable service and bind paths
On Mon, 6 Jan 2020, Claes H wrote:

> Turns out the problem was not with the mount - that was working well.
> Instead it was a user problem and I did not realize the process ran as
> root and used a different home directory.
> When I added the user homeassistant in the host and added it to the
> User= configuration in the service file it worked.
> But this required the "admin" of the host to do something additional,
> it did not work "out of the box".
>
> I was thinking - how is it supposed to work with a portable service,
> which user is it recommended to run as?
> Maybe portablectl attach should create the user the service has
> declared, if it does not exist already?
> Or should there be a general user that portable services run as?
> Interested to hear if there is any recommendation for how a portable
> service "packager" should define the user aspect of the service.
>
> Best regards
> Claes

This seems like an ideal use-case for DynamicUser=. Don't specify any
User= or Group= directly; just let systemd allocate them automatically.
Re: [systemd-devel] Portable service and bind paths
Turns out the problem was not with the mount - that was working well.
Instead it was a user problem and I did not realize the process ran as
root and used a different home directory.
When I added the user homeassistant in the host and added it to the
User= configuration in the service file it worked.
But this required the "admin" of the host to do something additional,
it did not work "out of the box".

I was thinking - how is it supposed to work with a portable service,
which user is it recommended to run as?
Maybe portablectl attach should create the user the service has
declared, if it does not exist already?
Or should there be a general user that portable services run as?
Interested to hear if there is any recommendation for how a portable
service "packager" should define the user aspect of the service.

Best regards
Claes

On Sun, Jan 5, 2020 at 1:46 AM Claes H wrote:
>
> Hi,
> I am experimenting with a portable service for Home Assistant. I think
> embedding it as a portable service would be a good way to isolate its
> quite extensive dependencies.
>
> But I would like to bind mount a directory on the host into the
> service and I can't figure it out.
> The portable service file looks like below but the bind path does not
> seem to take effect.
>
> Is this maybe the wrong way to go? I am able to bind mount it if I
> start using a regular service, that calls systemd-nspawn (like
> ExecStart=/usr/bin/systemd-nspawn -M homeassistant /srv/homeassistant/bin/hass
> ) and has a corresponding .nspawn file with Bind attribute.
>
> I also read in the documentation that .nspawn files are not among the
> unit files copied out from the image. What is the recommended way to go
> about with this for a portable service?
>
> best regards,
> Claes
>
>
> [Unit]
> Description=Home Assistant (portable service)
> After=network-online.target
>
> [Service]
> Type=simple
> ExecStart=/srv/homeassistant/bin/hass
> Restart=on-failure
> RestartSec=5s
> BindPaths=/home/claes/projects/homeassistant/configuration-.homeassistant:/home/homeassistant/.homeassistant
>
> [Install]
> WantedBy=multi-user.target
>
> --
> C l a e s   H o l m e r s o n

--
C l a e s   H o l m e r s o n